State Student Privacy Laws

In addition to the federal student privacy laws,  at least 40 states have passed  student privacy laws in recent years since the controversy over inBloom Inc. first erupted in 2013.

Here is a comprehensive list with links to 99 state student privacy laws passed between 2014 and 2018 that were analyzed for our State Privacy report card.  More details concerning the history and some individual state laws are below.

In 2014,  110 bills were introduced on student data privacy in 36 states, with 24  signed into law.  In  2015, more than 180 student privacy bills were introduced, of which 28 became laws.  In 2016,  34 states introduced 112 bills, of which 18 passed in 15 states, according to the Data Quality Campaign.   In 2017, 36 states introduced 95 bills and approved 31 new laws addressing the use and protection of student data.

  • First, check out the January 2018 State Student Privacy Report Card, created by our Parent Coalition and the Network for Public Education, along with an interactive map that grades every one of the fifty states on its student privacy laws in seven categories: Transparency, Parental and Student Rights; Limitations on Commercial Use of Data; Data Security Requirements; Oversight, Enforcement, and Penalties for Violations, Parties Covered and Other, a catch-all for provisions that did not fit into any of the above categories.  Here is a technical appendix that explains our methodology in more detail.
  • In preparing the report, we created a downloadable matrix with links to the 99 state student privacy laws that were approved between 2013 and 2018,  which also specifies how many points we awarded to each of them and in what category.  If you’d like to check out which student privacy laws your state has passed, this is a good place to start.
  • Snell and Wilner  summarized some notable state student privacy laws in Feb. 2017.
  • You can click here to view student privacy legislation passed in 2017, according to the Data Quality Campaign.
  • An earlier 2016 state-by-state summary is available in the State Student Privacy Law Compendium ,   a joint project between Center for Democracy & Technology (CDT) and BakerHostetler.
  •  In 2015, the   Software & Information Industry Association  posted a   Comparison Chart of 2015 State Laws modeled after the CA law SOPIPA (see below) and a Comparison Chart of 2014 Laws .

Links to some specific state laws are below.  Longer descriptions are from the National Conference of State Legislatures.  You should check out their website as well as here for updates.

  • California : SB 1177 or Student Online Personal Information Protection Act (SOPIPA)  (2014). Summary by Cooley LLP.   SOPIPA prohibits an operator of a website, online service, online application or mobile application from knowingly engaging in targeted advertising to students or their parents or legal guardians. These services and applications also may not use covered information to amass a profile about a K-12 student, sell a student’s information or disclose covered information. The law also addresses security procedures and practices of covered information in order to protect information from unauthorized access, destruction, use, modification or disclosure.  A very comprehensive guide was released in Nov. 2016 by the CA Attorney General office on SOPIPA as well as the two other CA student privacy laws listed below.   Also see the Data Privacy Guide (2015)  on CA student privacy laws,  produced by CETPA, the CCSESA and Fagen Friedman & Fulfrost.
  • California: AB-1584  (2014) Pupil records: privacy: 3rd-party contracts: digital storage services and digital educational software.  Now incorporated as CA Education Code Section  49073.1
  • CaliforniaAB-2799 (2016) Privacy: personal information: preschool and prekindergarten purposes.  Applies student privacy protections to preschool personal data.
  •  Colorado: HB14-1294 (2014);  the Student Data Privacy Act, requires the State Board of Education to publish an inventory of the individual student data currently in the student data system as required by state and federal education mandates, as well as any student data proposed for inclusion in this system. It prohibits the Department of Education from providing individual student data to other organizations or agencies outside the state except under specified circumstances.
  • Georgia: SB 89 (2015), the Student Data Privacy, Accessibility and Transparency Act, requires an inventory of data elements being collected, including a reason for why each is collected; gives parents rights to review their child’s education record and requires schools to provide electronic copies of student records to their parents upon request; requires development of a data security plan for the state data system; requires technology providers working with schools to develop appropriate security procedures and prohibits them from selling personal information about students or using it for targeted advertising; and provides for the Department of Education to designate a Chief Privacy Officer.
  • Idaho: SB 1372 (2014), the Student Data Accessibility, Transparency and Accountability Act of 2014, requires the State Board of Education to create, publish and make publicly available a data inventory that defines individual student data fields included in the student data system. The index must include any individual student data required to be reported by state and federal education mandates; any individual student data proposed for inclusion in the student data system with a statement explaining the reason for inclusion; and any individual student data collected or maintained with no current purpose or reason. The board is required to ensure that any contracts that govern databases, online services, assessments or instructional supports that include student data and are outsourced to private vendors, include express provisions that safeguard privacy and security, contain the restrictions on secondary uses of student data, and provide for data destruction. The act also includes penalties for noncompliance.
  • New York: Education law SB 6356 (2014; but not yet fully enforced as of October 2016) in two parts: § 2-c.  Release of student information to certain entities and § 2-d. Unauthorized release of personally identifiable information . The regulations for § 2D are here.  Allows for the provision of student PII to service providers only under specific conditions, requires high levels of encryption, data deletion and minimization, and prohibits the use of such data for commercial purposes, including marketing or sale.  It also creates a new position of chief privacy officer, who must make security and privacy policy recommendations and develop procedures for transparency, notification and parent complaints; calls for a parents’ bill of rights for data privacy and security and a data inventory for each contract that must be posted on district websites, and more.
  • Oklahoma: HB 1989 (2013), the Student Data Accessibility, Transparency and Accountability Act, requires public reporting of which student data are collected by the state, mandates creation of a statewide student data security plan, and limits the data that can be collected on individual students and how that data can be shared. It establishes new limits on the transfer of student data to federal, state, or local agencies and organizations outside Oklahoma. It also restricts the state from requesting delinquency records, criminal records, medical and health records, social security numbers and biometric information as part of student data collected from local schools and districts.
  • Rhode Island: HB 7124 (2014) limits the use of student data and information obtained by cloud computing service providers when providing services to K-12 educational institutions. It also prohibits the use of such data for commercial purposes, including advertising that benefits the service provider.
  • West Virginia: HB 4316 (2014) outlines state, district and school responsibilities for data inventory and provides for a data governance officer. It requires the State Board of Education to develop guidelines for school districts, requiring them to notify parents of their right to request student information and allow parents to access data specific to their child’s educational record; ensure security when providing student data to parents; make sure student data is provided only to authorized individuals; and detail the time frame within which record requests must be provided.      

State Social Media Legislation

Arkansas

California

Delaware

Illinois (allows schools to request access to personal accounts)

Illinois (bill introduced requiring schools districts to seek a court order to access personal accounts)

Louisiana

New Jersey

Michigan

New Mexico

Oregon

Rhode Island

Utah

Wisconsin